In an incident reminiscent of the NSA hacking tools leaked by them Shadow Brokers, someone has published similar hacking tools belonging to one of Iran's top espionage teams, known as APT34, Oilrig or HelixKitten.
The leaked hacking tools are not as specialized as the NSA tools leaked by 2017, but they are extremely dangerous.
They also spilled the data of the victims of the tools and circulated online.
The tools leaked from mid-March on a Telegram channel from a person using Lab Dookhtegan as a pseudonym.
In addition to hacking tools, Lab Dookhtegan published data from APT34 victims. The data contains combinations of names and passwords and appears to have been collected through phishing pages.
Let's say his Twitter account is closed for obvious reasons
https://twitter.com/dookhtegan
Several cyber security experts have already confirmed the authenticity of the tools.
On the Telegram Channel that was discovered today, the hacker has leaked the source code of six hacking tools and the content from many active backend panels where the victims' data was collected.
Hacking tools:
- Glimpse (newer version of a PowerShell-based trojan named Palo Alto Networks BondUpdater)
- PoisonFrog (older version of BondUpdater)
- HyperShell (web shell called Palo Alto Networks TwoFace)
- HighShell (another web shell)
- Fox Panel (phishing kit)
- Webmask (DNS tunneling, main tool behind DNSPionage)
In addition to the source code of the above tools, Dookhtegan also leaked victim data collected on some of the APT34 team command and control servers (C&C).
Overall, Dookhtegan leaked data from 66 victims, mainly from the Middle East, Africa, East Asia and Europe.
Data comes from government agencies, but also from private companies. The two largest companies listed on the telegraph channel are Etihad Airways and Emirates National Oil. A list of victims (but without company / governmental names) is available below.
___________________